Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Insufficient check are made in the setCollectionPhases function, which could lead to unusable collections #588

Open
c4-submissions opened this issue Nov 8, 2023 · 11 comments
Open

Insufficient check are made in the setCollectionPhases function, which could lead to unusable collections #588

c4-submissions opened this issue Nov 8, 2023 · 11 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-b primary issue Highest quality submission among a set of duplicates Q-24 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L170-L177

Vulnerability details

Impact

No check is being performed on the different parameters of a collection upon creation in the setCollectionPhases function.
This means collection with wrong parameters can be created and be potentially unusable, polluting the MinterContract.

For such collections, most of the core functions of the contract would be unusable. However this vulnerability is only marked as MEDIUM as the setCollectionPhases function can only be called by the collection admin, who can call it several time and fix the errors.

Proof of Concept

Let’s have a look at the setCollectionPhases function below

function setCollectionPhases(uint256 _collectionID, uint _allowlistStartTime, uint _allowlistEndTime, uint _publicStartTime, uint _publicEndTime, bytes32 _merkleRoot) public CollectionAdminRequired(_collectionID, this.setCollectionPhases.selector) {
        require(setMintingCosts[_collectionID] == true, "Set Minting Costs");
        collectionPhases[_collectionID].allowlistStartTime = _allowlistStartTime;
        collectionPhases[_collectionID].allowlistEndTime = _allowlistEndTime;
        collectionPhases[_collectionID].merkleRoot = _merkleRoot;
        collectionPhases[_collectionID].publicStartTime = _publicStartTime;
        collectionPhases[_collectionID].publicEndTime = _publicEndTime;
    }

We can imagine a range of scenarios for a caller to create dysfunctional collections, among which:

  • if _allowlistEndTime < _allowlistStartTime and _publicEndTime < _publicStartTime, the functions burnOrSwapExternalToMint and burnToMint will always revert.

  • if _publicEndTime < _allowlistStartTime and collectionPhases[_collectionId].salesOption == 2), the getPrice function will return a fixed price even though the descending scale is set as exponential

  • if _allowlistStartTime < collectionPhases[_collectionID].timePeriod, the mintAndAuction and the mint functions will revert if lastMintDate[_collectionID] == 0 as collectionPhases[col].allowlistStartTime - collectionPhases[col].timePeriod would underflow.

Tools Used

Manual Review / Visual Studio

Recommended Mitigation Steps

An easy fix would be to add a list of checks in the setCollectionPhases function using multiple require statements as per below.

function setCollectionPhases(uint256 _collectionID, uint _allowlistStartTime, uint _allowlistEndTime, uint _publicStartTime, uint _publicEndTime, bytes32 _merkleRoot) public CollectionAdminRequired(_collectionID, this.setCollectionPhases.selector) {
        require(setMintingCosts[_collectionID] == true, "Set Minting Costs");
        require(_allowlistStartTime < _allowlistEndTime, “start after end”);
        require(_publicStartTime < _publicEndTime, “start after end”);
        require(_allowlistEndTime <= _publicStartTime, “allow list should happen prior to public”);
        require(_allowlistStartTime < collectionPhases[_collectionID].timePeriod, “allow list should be less than period”);
        collectionPhases[_collectionID].allowlistStartTime = _allowlistStartTime;
        collectionPhases[_collectionID].allowlistEndTime = _allowlistEndTime;
        collectionPhases[_collectionID].merkleRoot = _merkleRoot;
        collectionPhases[_collectionID].publicStartTime = _publicStartTime;
        collectionPhases[_collectionID].publicEndTime = _publicEndTime;
}

This would prevent all the scenarios listed above and ensure the contract does not get polluted with odd collections.

We should also ensure that the setCollectionCosts function cannot be called again after setting the phases, meaning we should add a require statement like so require(setMintingCosts[_collectionID] == true, "Set Minting Costs"); in the setCollectionCosts.

Assessed type

Invalid Validation
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 8, 2023
c4-submissions added a commit that referenced this issue Nov 8, 2023
@c4-submissions
pipidu83 issue #588
0acb681
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #1274

@c4-pre-sort
Copy link

141345 marked the issue as not a duplicate

@c4-pre-sort c4-pre-sort reopened this Nov 27, 2023
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #478

@c4-judge
Copy link

c4-judge commented Dec 1, 2023

alex-ppg marked the issue as not a duplicate

@c4-judge c4-judge reopened this Dec 1, 2023
@c4-judge c4-judge closed this as completed Dec 1, 2023
@c4-judge
Copy link

c4-judge commented Dec 1, 2023

alex-ppg marked the issue as duplicate of #2033

@c4-judge c4-judge mentioned this issue Dec 4, 2023
Closed
@c4-judge
Copy link

c4-judge commented Dec 4, 2023

alex-ppg marked the issue as selected for report

@c4-judge c4-judge reopened this Dec 4, 2023
@c4-judge c4-judge added primary issue Highest quality submission among a set of duplicates selected for report This submission will be included/highlighted in the audit report labels Dec 4, 2023
@alex-ppg
Copy link

alex-ppg commented Dec 4, 2023

The Warden has described all potential scenarios that would fail if the time stamps have been misconfigured for a collection and has described it in great detail.

The main issue I observe is that the collection can be simply reconfigured to rectify the issue, meaning that a QA severity is better suited than a Medium severity.

I invite the wardens of this and all duplicate exhibits to elaborate on a potential attack path based on this misconfiguration (i.e. loss of funds, unauthorized access to sale type) to upgrade its severity.

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Dec 4, 2023
@c4-judge
Copy link

c4-judge commented Dec 4, 2023

alex-ppg changed the severity to QA (Quality Assurance)

@c4-judge
Copy link

c4-judge commented Dec 4, 2023

alex-ppg marked the issue as grade-a

@c4-judge
Copy link

c4-judge commented Dec 4, 2023

alex-ppg marked the issue as grade-b

@c4-judge c4-judge mentioned this issue Dec 4, 2023
Closed
This was referenced Dec 8, 2023
Open
Closed
Closed
Closed
Open
Open
Closed
Closed
Closed
Open
Closed
Open
Open
Open
@c4-judge
Copy link

c4-judge commented Dec 9, 2023

alex-ppg marked the issue as not selected for report

@c4-judge c4-judge removed the selected for report This submission will be included/highlighted in the audit report label Dec 9, 2023
@cartlex cartlex mentioned this issue Dec 9, 2023
Closed
@C4-Staff C4-Staff added the Q-24 label Dec 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-b primary issue Highest quality submission among a set of duplicates Q-24 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@alex-ppg @c4-judge @c4-pre-sort @C4-Staff @c4-submissions